Re: Wheezy update of w3m?
On 25 November 2016 at 14:39, Raphael Hertzog <email@example.com> wrote:
> On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> > I did not want to tag them no-dsa (without further analysis) due to the
> > following:
> And you expected that further analysis to be done by whoever would pick
> the package?
Yes, that or myself when I get some more time this week.
> In that case, you could have left a comment along the lines
> of "security team tagged the issues as no-dsa, I'm not 100% sure we should
> do the same in wheezy, please review the CVE and feel free to tag them
> no-dsa as well if you agree with the security team's assessment".
Good point. I'll add that next time. This time I'll just make them
no-dsa as you seem to have assessed them better than I do.
> > 1) Our recent discussion regarding heap overflow (causing arbitrary code
> > execution) not being protected by the compiler.
> It's hard to assess this one. But here we need HTML input and I expect it
> to be harder to inject binary data hosting code that we would like to
That is a point. But are you sure it needs to be HTML? Can it not be
just binary data over HTTP? However, I think binary data is quite easy
to inject. On the other hand, I have not checked this in detail.
> > 2) Stable security uses no-dsa to mark that they are not immediately fixed
> > but could be fixed in a point release. Oldstable security does not have a
> > point release, so therefore we should not use no-dsa as frequently.
> Right, but they tend to write "Minor issue, can be fixed in a point
> release" for the latter, this is not the case here.
I see. I was under the impression that this ", can be fixed in a point
release" text is often forgotten. I'm probably wrong there.
> > However if you think they are minor enough I'll happily mark them no-dsa as
> > well.
> Please do.
OK, I will do so.
> Raphaël Hertzog ◈ Debian Developer
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/
--- Inguza Technology AB --- MSc in Information Technology ----
/ firstname.lastname@example.org Folkebogatan 26 \
| email@example.com 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /